I'm working on a problem at the moment where I have 2 Internet connections each with their own Interface on an ASA running 8.2(5). What I want to be able to do is host different web sites on each ISP's ranges but I'm banging my head against a wall at the moment trying to either get the routing or NATing to work in a satisfactory way.
The default route is via one of these Internet connections and obviously the website hosted on this Interface is working fine.
To get another website hosted on the other ISP or interface - traffic is getting blackholed as it is being routed in the 2nd ISP interface and then trying to be routed back out the 1st ISP interface.
I thought I could overcome this using Policy Based Routing but ASA does not support this. I'm also aware that I can overcome this problem by upgrading the ASA code to 8.3 or 8.4 where the NAT will override the Routing table.
I'm vaguely thinking that there might be a way to overcome this using clever NAT but not been able to figure it out yet. A lot of other Forum posts have suggested that you can use Policy NAT (either Static or Dynamic) or a Dynamic NAT to get the second NAT working and overcome this routing problem but all of these options seem to define a specific source where I need to allow ANY Source on either connection. (Connections inbound to the webservers originating from anywhere on the Internet).
I toyed with the idea of Source NAT'ing traffic coming in on the 2nd ISP connection so that it would appear to originate from an IP in the same network. This would overcome the routing problem but not ideal as WebServer logs would see all connections originating from this IP as opposed to the real IP on the Internet.
My current (relevant) configuration looks something like this:
Re: (Twice?) NAT on ASA 8.2 for second ISP Connection
Have you thought about getting a router in front of your ASA to handle the Policy Based Routing?
I mean just simply configuring the ASA with 2 different public IP addresses for the servers hosting websites and then on the router assigning the correct ISP default gateway based on the public source address of the web server?
This way you would have a single outside interface on the ASA and 2 different public network ranges routed towards that outside interface of the ASA from the router.
To my understanding you can't handle this situation with the ASA alone. I'm managing a couple of customer networks that have Dual ISP and the routing is always handled with a router in front of the ASA.
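The router-in-front design suggested above, written out as an added example (not configuration from the thread or from either poster). All addresses are assumed RFC 5737 documentation ranges: ISP-A's link is 203.0.113.0/30 with its hosted block 203.0.113.64/26, ISP-B's link is 198.51.100.0/30 with its hosted block 198.51.100.64/26, and the router-to-ASA link is 192.0.2.0/30 with the ASA outside at 192.0.2.2. The router routes both public blocks to the ASA and uses a route-map on the ASA-facing interface to send return traffic out the ISP whose address it carries; the ASA 8.2 fragment below it just needs ordinary statics plus one default route.

```cisco
! ---- Edge router (IOS) ----
interface GigabitEthernet0/0
 description Uplink to ISP-A (default path)
 ip address 203.0.113.2 255.255.255.252
!
interface GigabitEthernet0/1
 description Uplink to ISP-B
 ip address 198.51.100.2 255.255.255.252
!
interface GigabitEthernet0/2
 description Towards ASA outside
 ip address 192.0.2.1 255.255.255.252
 ip policy route-map PBR-BY-SOURCE-ISP
!
! Both ISPs route their hosted block to this router; push both on to the ASA
ip route 203.0.113.64 255.255.255.192 192.0.2.2
ip route 198.51.100.64 255.255.255.192 192.0.2.2
! Normal default for everything else (outbound user traffic) goes via ISP-A
ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
ip access-list standard SRC-ISP-A-BLOCK
 permit 203.0.113.64 0.0.0.63
ip access-list standard SRC-ISP-B-BLOCK
 permit 198.51.100.64 0.0.0.63
!
! Replies leaving the ASA are steered by the public source address the
! ASA stamped on them, so each web site answers out of its own ISP
route-map PBR-BY-SOURCE-ISP permit 10
 match ip address SRC-ISP-A-BLOCK
 set ip next-hop 203.0.113.1
route-map PBR-BY-SOURCE-ISP permit 20
 match ip address SRC-ISP-B-BLOCK
 set ip next-hop 198.51.100.1
! (traffic matching neither clause falls through to the routing table)

! ---- ASA 8.2 fragment (assumed inside hosts 10.0.0.10 and 10.0.0.20) ----
! interface Ethernet0/0
!  nameif outside
!  ip address 192.0.2.2 255.255.255.252
! route outside 0.0.0.0 0.0.0.0 192.0.2.1
! static (inside,outside) 203.0.113.70 10.0.0.10 netmask 255.255.255.255
! static (inside,outside) 198.51.100.70 10.0.0.20 netmask 255.255.255.255
! access-list outside_in extended permit tcp any host 203.0.113.70 eq 80
! access-list outside_in extended permit tcp any host 198.51.100.70 eq 80
! access-group outside_in in interface outside
```

On 8.2 the access-list references the mapped (public) addresses, so the two permit lines above expose only port 80 on each site; the router's statics mean the ASA never needs to proxy-ARP for addresses outside its own outside subnet.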